Description
ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #141, ClipBucket v5 contains an improper neutralization of SQL wildcard characters in the subtitle editing endpoint. An authenticated user can send a % character as the number parameter to overwrite all subtitle titles of any video they own in a single HTTP request. This issue has been patched in version 5.5.3 - #141.
Published: 2026-06-11
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ClipBucket v5 has an improper neutralization of SQL wildcard characters in its subtitle editing endpoint, allowing an authenticated user to send a percentage sign as the number parameter and overwrite all subtitle titles for videos they own in a single request. This results in mass alteration of subtitle data, compromising content integrity but not granting arbitrary code execution or exposing sensitive data. The flaw corresponds to CWE-155 and CWE-943.

Affected Systems

All installations of the MacWarrior ClipBucket platform version 5.5.2 and earlier are affected. The defect was fixed in release 5.5.3 (commit #141). Users running any earlier release should verify their version and upgrade accordingly.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The vulnerability requires authentication and ownership of a video, so the threat is limited to the user’s own content. Because an attacker must first obtain legitimate credentials, exploitation probability is relatively low, and the flaw is not listed in the CISA KEV catalog. Nonetheless, the ability to overwrite all subtitle titles can cause significant disruption to a user’s video data.

Generated by OpenCVE AI on June 12, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ClipBucket to version 5.5.3 or later to apply the vendor patch.
  • Modify the subtitle editing API to validate the number parameter and reject or properly escape wildcard characters; use parameterized queries to prevent SQL injection.
  • Implement stricter role‑based access control to ensure only authorized users can perform bulk subtitle edits.
  • Monitor API logs for unusual subtitle edit activity and investigate any unexpected mass modifications.
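The second recommendation above deserves a concrete illustration, because parameterised queries alone do not fix CWE-155: a bound parameter stops SQL injection, but if the query compares with LIKE, a bare % still matches every row. The following Python/sqlite3 script is an added example, not ClipBucket's code; the table layout (video_id, owner_id, number, title) and the three handler functions are hypothetical. It shows the vulnerable shape (parameterised but LIKE-based), a hardened handler that allow-lists the number parameter and compares with equality, and an escaping helper for the rare case where a LIKE comparison is genuinely needed.

```python
import re
import sqlite3

# Constructed sample data: three subtitle tracks on video 42, owned by user 7.
SAMPLE_SUBTITLES = [
    (1, 42, 7, "1", "English"),
    (2, 42, 7, "2", "French"),
    (3, 42, 7, "3", "German"),
]

# Allow-list for the subtitle number: a short run of digits and nothing else.
NUMBER_RE = re.compile(r"[0-9]{1,4}")


def make_db():
    """Create an in-memory database with the hypothetical subtitles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subtitles ("
        "id INTEGER PRIMARY KEY, video_id INTEGER, owner_id INTEGER, "
        "number TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO subtitles VALUES (?, ?, ?, ?, ?)", SAMPLE_SUBTITLES)
    return conn


def edit_title_vulnerable(conn, owner_id, video_id, number, new_title):
    """Vulnerable shape: fully parameterised, so no SQL injection, but the
    WHERE clause uses LIKE. A '%' in `number` matches every subtitle row of
    the video, so one request overwrites all titles (CWE-155)."""
    cur = conn.execute(
        "UPDATE subtitles SET title = ? "
        "WHERE video_id = ? AND owner_id = ? AND number LIKE ?",
        (new_title, video_id, owner_id, number),
    )
    return cur.rowcount


def edit_title_hardened(conn, owner_id, video_id, number, new_title):
    """Hardened shape: reject anything that is not a plain digit string before
    it reaches the query, and compare with '=' so no pattern semantics apply.
    Ownership is still enforced in the WHERE clause."""
    if not isinstance(number, str) or not NUMBER_RE.fullmatch(number):
        raise ValueError("subtitle number must be 1-4 digits")
    cur = conn.execute(
        "UPDATE subtitles SET title = ? "
        "WHERE video_id = ? AND owner_id = ? AND number = ?",
        (new_title, video_id, owner_id, number),
    )
    return cur.rowcount


def escape_like(value):
    """Escape LIKE metacharacters so they match literally. The backslash is
    doubled first so later replacements cannot be un-escaped by it."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def edit_title_like_escaped(conn, owner_id, video_id, number, new_title):
    """Alternative when LIKE is really required: escape the user value and
    declare the escape character, so '%' only matches a literal '%'."""
    cur = conn.execute(
        "UPDATE subtitles SET title = ? "
        "WHERE video_id = ? AND owner_id = ? AND number LIKE ? ESCAPE '\\'",
        (new_title, video_id, owner_id, escape_like(number)),
    )
    return cur.rowcount


def titles(conn, video_id):
    """Return the subtitle titles of a video in insertion order."""
    rows = conn.execute(
        "SELECT title FROM subtitles WHERE video_id = ? ORDER BY id", (video_id,)
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, number='%':", edit_title_vulnerable(conn, 7, 42, "%", "x"), "rows")
    conn = make_db()
    try:
        edit_title_hardened(conn, 7, 42, "%", "x")
    except ValueError as exc:
        print("hardened, number='%': rejected:", exc)
    print("hardened, number='2':", edit_title_hardened(conn, 7, 42, "2", "y"), "row")
```

The vulnerable handler reports three rows changed for a single request with number set to %, which is exactly the mass-overwrite effect the description records; the hardened handler rejects that input before any query runs and changes at most one row for a valid number. For detection, the row count returned by the UPDATE is itself a useful signal: a subtitle-edit endpoint that ever touches more than one row per request is worth an alert.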


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 00:45:00 +0000

Type: First Time appeared
  Values Added: Macwarrior; Macwarrior clipbucket-v5
Type: Vendors & Products
  Values Added: Macwarrior; Macwarrior clipbucket-v5

Thu, 11 Jun 2026 23:30:00 +0000

Type: Description
  Values Added: ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #141, ClipBucket v5 contains an improper neutralization of SQL wildcard characters in the subtitle editing endpoint. An authenticated user can send a % character as the number parameter to overwrite all subtitle titles of any video they own in a single HTTP request. This issue has been patched in version 5.5.3 - #141.
Type: Title
  Values Added: ClipBucket: SQL Wildcard Injection in Subtitle Edit Endpoint Allows Mass Subtitle Overwrite
Type: Weaknesses
  Values Added: CWE-155; CWE-943
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T22:55:17.738Z

Reserved: 2026-05-30T04:17:43.095Z

Link: CVE-2026-49482

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T00:16:19.363

Modified: 2026-06-12T00:16:19.363

Link: CVE-2026-49482

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T00:30:07Z

Weaknesses
  • CWE-155

    Improper Neutralization of Wildcards or Matching Symbols

  • CWE-943

    Improper Neutralization of Special Elements in Data Query Logic